wpopal

Member since: 2015-10-29
Authored: 27 (8 closed)
SVN commit access: 12 (6 closed)
Readme contributor: 0
Combined install base: 3k+ across 27 plugins

Alerts (0)

No open alerts.

Resolved alerts (1)

Critical code_pattern Opal Woo Custom Product Variation Resolved · vendor_self_update_wpopal 1mo ago
Slug: opal-woo-custom-product-variation
Pattern: puc_update_hijack
Kind: builtin
Version: 1.3.5
Hit count: 1
First hit:
  File: opal-woo-custom-product-variation.php
  Line: 65
  Snippet: Puc_v4_Factory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()`, the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: hijack
URL: http://source.wpopal.com/plugins/opal/opal-woo-custom-product-variation.json
URL host: source.wpopal.com
Slug arg: opal-woo-custom-product-variation

Plugins authored (27)

| Plugin | Version | Installs | Last updated | Status |
|---|---|---|---|---|
| GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels ·gg-woo-feed | 1.4.0 | 1k+ | 6mo ago | Active |
| Opal Service ·opal-service | 1.9.1 | 900 | 3y ago | Active |
| Opal Mega Menu ·opal-megamenu-for-elementor | 1.1.16 | 400 | 3y ago | Active |
| Opal Woo Custom Product Variation ·opal-woo-custom-product-variation | 1.3.5 | 400 | 1mo ago | Active |
| Opal Portfolio ·opal-portfolios | 1.0.4 | 100 | 7y ago | Active |
| Opal Estate Custom Fields ·opal-estate-custom-fields | 1.0.5 | 50 | 5y ago | Active |
| GG Multiple Payment Routing for WooCommerce – Split and manage PayPal, Stripe accounts ·gg-multiple-payment-routing | 1.0.8 | 30 | 5y ago | Active |
| Wpopal Medical ·wpopal-medical | 1.0.4 | 20 | 4y ago | Active |
| GG Auto Move ·gg-auto-move | 1.0.2 | 10 | 5y ago | Active |
| GG eBay Management ·gg-ebay-management | 1.0.2 | 10 | 5y ago | Active |
| OPAL SOCIAL LOGIN ·opal-social-login | 1.0.0 | 10 | 7y ago | Active |
| Opal Upsale Quantity for Woocommerce ·opal-upsale-quantity-for-woocommerce | 1.3.0 | 10 | 6mo ago | Active |
| GTG Product Blocks ·gtg-product-blocks | 1.0.0 | 10 | 5y ago | Active |
| Opal Estate Packages ·opal-estate-packages | 1.0.5 | 10 | 5y ago | Active |
| Opal Product Collection for WooCommerce ·opal-product-collection-woocommerce | 1.3.0 | 10 | 6mo ago | Active |
| Opal Estimated Delivery for Woocommerce ·opal-estimated-delivery-for-woocommerce | 1.3.0 | | 6mo ago | Active |
| GG Bought Together for WooCommerce ·gg-bought-together | 1.0.2 | | | Closed |
| GutenGeek Free Gutenberg Blocks for WordPress ·gtg-advanced-blocks | 1.1.3 | | | Closed |
| Opal Sync Media to Amazon S3 ·opal-aws-s3 | 1.3.0 | | 6mo ago | Active |
| Opal Size Charts for WooCommerce ·opal-size-charts-for-woocommerce | 1.3.0 | | 6mo ago | Active |
| Opal Estate ·opal-estate | 1.6.11 | | | Closed |
| Opal Estate Pro – Property Management and Submission ·opal-estate-pro | 1.7.7 | | | Closed |
| Opal Hotel Room Booking ·opal-hotel-room-booking | 1.2.7 | | | Closed |
| Opal Membership ·opal-membership | 1.2.4 | | | Closed |
| Opal Widgets For Elementor ·opal-widgets-for-elementor | 1.6.9 | | | Closed |
| Opal Bulkedit for Woocommerce ·opal-bulkedit-for-woocommerce | 1.3.0 | | 6mo ago | Active |
| Wpopal Core Features ·wpopal-core-features | 1.5.9 | | | Closed |

SVN commit access (12)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

| Plugin | Primary author | Installs | Commits | First | Latest | Status |
|---|---|---|---|---|---|---|
| Opal Estate | wpopal | | 428 | 9y ago | 5y ago | Closed |
| Opal Hotel Room Booking | wpopal | | 283 | 9y ago | 6y ago | Closed |
| Opal Estate Pro – Property Management and Submission | wpopal | | 157 | 6y ago | 1y ago | Closed |
| Opal Widgets For Elementor | wpopal | | 123 | 7y ago | 2y ago | Closed |
| Wpopal Core Features | wpopal | | 119 | 7y ago | 2y ago | Closed |
| Opal Service | wpopal | 900 | 33 | 7y ago | 3y ago | Active |
| Opal Woo Custom Product Variation | wpopal | 400 | 32 | 2y ago | 1mo ago | Active |
| Opal Mega Menu | wpopal | 400 | 32 | 7y ago | 3y ago | Active |
| Opal Membership | wpopal | | 29 | 6y ago | 2y ago | Closed |
| Opal Estate Custom Fields | wpopal | 50 | 9 | 6y ago | 5y ago | Active |
| Opal Portfolio | wpopal | 100 | 9 | 7y ago | 7y ago | Active |
| GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels | wpopal | 1k+ | 8 | 2y ago | 6mo ago | Active |